Teleport - monitor commands being sent

Hello Team,

Is it possible in any way to monitor which commands a user, connected to the web shell, is trying to execute in “real time”?

I know about the possibility to see the recorded session, but I was wondering if there was a way to do this type of check.

Thank you for your assistance.

This isn’t a feature that’s offered ‘out of the box’.

With this said, every session that starts on a cluster goes into the audit log with a session.start event and the UUID of the session. One way I can think of to achieve what you’re asking for would be to have some kind of agent which monitors this audit log and automatically runs tsh join <uuid> on each session that it sees. It could then monitor what was being typed in real time and theoretically alert if it detects a certain string being typed.

There are a number of caveats with this:

  1. It wouldn’t be tremendously effective as there are a number of ways to obfuscate commands typed into a terminal so that they won’t match a simple string comparison. There is also the possibility of uploading a script containing malicious code and running it without ever typing rm -rf --no-preserve-root / or whatever…

  2. The audit log is only saved on a per-cluster basis, so you would need to run one of these ‘monitoring agents’ in every Teleport cluster you wanted alerts from.

  3. The audit process would also need to be able to log into Teleport itself and would need permission to log into a terminal as any user that might potentially start a session. This aim could probably be satisfied by issuing a long-lived certificate on each auth server, but it would need to have all potential usernames encoded into it (so if you used individual UNIX usernames for each user and had a large user base, this would be hard to maintain).

I’m not actually sure at what point the compressed chunks of the audit log are synced onto the disk by the Teleport node, but if it happens reasonably often then another option might be to tail any new chunk logs in real time and have a process that alerts based on what it sees.
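A sketch of the two building blocks described above, as an added example rather than code from the thread or from Teleport: pick session.start events out of audit-log lines to know which session to join, and reconstruct what was typed from raw terminal chunks before matching a watch list. The audit field names (event, sid, user, login), the sample log lines and the watch patterns are assumptions for the example; Teleport's real chunk format and the agent loop around this are not shown.

```python
import json
import re

# Constructed sample audit-log lines (one JSON event per line). The field names
# "event", "sid", "user" and "login" are assumed here; the values are made up.
SAMPLE_AUDIT_LOG = [
    '{"event":"user.login","time":"2024-01-01T10:00:00Z","user":"alice","success":true}',
    '{"event":"session.start","time":"2024-01-01T10:00:05Z","sid":"11111111-aaaa","user":"alice","login":"ubuntu"}',
    'this line is not JSON and must be skipped',
    '{"event":"session.start","time":"2024-01-01T10:01:00Z","sid":"22222222-bbbb","user":"bob","login":"root"}',
    '{"event":"session.end","time":"2024-01-01T10:02:00Z","sid":"11111111-aaaa","user":"alice"}',
]


def session_starts(lines):
    """Yield (sid, user, login) for every session.start event; skip malformed lines."""
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and ev.get("event") == "session.start" and ev.get("sid"):
            yield ev["sid"], ev.get("user", "?"), ev.get("login", "?")


def join_command(sid):
    """Argv the monitoring agent would spawn to attach to a live session (built, not run)."""
    return ["tsh", "join", sid]


# Hypothetical watch list; a real deployment would load this from configuration.
WATCH = [re.compile(p) for p in (r"\brm\s+-rf\b", r"--no-preserve-root")]
ANSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")  # CSI sequences (colours, cursor moves)


def reconstruct_typed(chunk):
    """Turn raw PTY bytes into the text that ended up on the line.
    Strips CSI escapes and applies backspaces (readline echoes '\\b \\b' per erase);
    carriage returns are dropped. Still defeated by the obfuscation in caveat 1."""
    out = []
    for ch in ANSI.sub("", chunk.decode("utf-8", "replace")):
        if ch == "\b":
            if out and out[-1] != "\n":
                out.pop()
        elif ch != "\r":
            out.append(ch)
    return "".join(out)


def scan_chunk(chunk):
    """Return the watch patterns that match the reconstructed typed text of one chunk."""
    text = reconstruct_typed(chunk)
    return [p.pattern for p in WATCH if p.search(text)]
```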

First of all, thank you for your answer.

Yeah I was thinking something that was more similar to the second solution you suggested, since even something simple like reading the chunks should be enough.

I’ve noticed that inside the /log/upload/sessions directory I can find the chunks even if the session of the user is still open and it also seems to be pretty good in terms of delay, so as you were suggesting it should be easy enough to tail the chunk file and check the commands that are being typed.

Excellent - let us know how you get on :slight_smile: